audit: only allow tasks to set their loginuid if it is -1

At the moment we allow tasks to set their loginuid if they have CAP_AUDIT_CONTROL. In reality we want tasks to set the loginuid when they log in and it be impossible to ever reset. We had to make it mutable even after it was once set (with the CAP) because on update and admin might have to restart sshd. Now sshd would get his loginuid and the next user which logged in using ssh would not be able to set his loginuid. Systemd has changed how userspace works and allowed us to make the kernel work the way it should. With systemd users (even admins) are not supposed to restart services directly. The system will restart the service for them. Thus since systemd is going to loginuid==-1, sshd would get -1, and sshd would be allowed to set a new loginuid without special permissions. If an admin in this system were to manually start an sshd he is inserting himself into the system chain of trust and thus, logically, it's his loginuid that should be used! Since we have old systems I make this a Kconfig option. Signed-off-by: Eric Paris <eparis@redhat.com>
author: Eric Paris <eparis@redhat.com> 2012-01-03 14:23:08 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2012-01-17 16:17:00 -0500
commit: 633b45454503489209b0d9a45f9e3cd1b852c614 (patch)
tree: 591363d3be6b773f872b979727d4ac1a9691ec82 /init/Kconfig
parent: 0a300be6d5be8f66cd96609334710c268d0bfdce (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/init/Kconfig b/init/Kconfig
index a075765d5fbe..5ad8b775f2ac 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -372,6 +372,20 @@ config AUDIT_TREE
        depends on AUDITSYSCALL
        select FSNOTIFY
+config AUDIT_LOGINUID_IMMUTABLE
+        bool "Make audit loginuid immutable"
+        depends on AUDIT
+        help
+          The config option toggles if a task setting it's loginuid requires
+          CAP_SYS_AUDITCONTROL or if that task should require no special permissions
+          but should instead only allow setting its loginuid if it was never
+          previously set.  On systems which use systemd or a similar central
+          process to restart login services this should be set to true.  On older
+          systems in which an admin would typically have to directly stop and
+          start processes this should be set to false.  Setting this to true allows
+          one to drop potentially dangerous capabilites from the login tasks,
+          but may not be backwards compatible with older init systems.
 source "kernel/irq/Kconfig"
 menu "RCU Subsystem"
author	Eric Paris <eparis@redhat.com>	2012-01-03 14:23:08 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2012-01-17 16:17:00 -0500
commit	633b45454503489209b0d9a45f9e3cd1b852c614 (patch)
tree	591363d3be6b773f872b979727d4ac1a9691ec82 /init/Kconfig
parent	0a300be6d5be8f66cd96609334710c268d0bfdce (diff)

diff --git a/init/Kconfig b/init/Kconfig index a075765d5fbe..5ad8b775f2ac 100644 --- a/init/Kconfig +++ b/init/Kconfig
@@ -372,6 +372,20 @@ config AUDIT_TREE
372	depends on AUDITSYSCALL	372	depends on AUDITSYSCALL
373	select FSNOTIFY	373	select FSNOTIFY
374		374
		375	config AUDIT_LOGINUID_IMMUTABLE
		376	bool "Make audit loginuid immutable"
		377	depends on AUDIT
		378	help
		379	The config option toggles if a task setting it's loginuid requires
		380	CAP_SYS_AUDITCONTROL or if that task should require no special permissions
		381	but should instead only allow setting its loginuid if it was never
		382	previously set. On systems which use systemd or a similar central
		383	process to restart login services this should be set to true. On older
		384	systems in which an admin would typically have to directly stop and
		385	start processes this should be set to false. Setting this to true allows
		386	one to drop potentially dangerous capabilites from the login tasks,
		387	but may not be backwards compatible with older init systems.
		388
375	source "kernel/irq/Kconfig"	389	source "kernel/irq/Kconfig"
376		390
377	menu "RCU Subsystem"	391	menu "RCU Subsystem"